Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label software exploitation. Show all posts

The Rise of RustDoor and ALPHV Ransomware



According to a recent finding, cybersecurity researchers at Bitdefender have identified a concerning development in the growing pool of threats, as a new backdoor named Trojan.MAC.RustDoor is targeting macOS users. This particular threat bears connections to the nefarious ransomware family known as BlackCat/ALPHV, which has traditionally focused on Windows systems.

The Trojan.MAC.RustDoor operates by disguising itself as an update for the widely-used Visual Studio code editor, a tactic commonly employed by cybercriminals to deceive unsuspecting users. What sets this backdoor apart is its use of the Rust programming language, making it a unique and sophisticated threat in the macOS workings. Bitdefender's advisory reveals that various iterations of this backdoor have been active for at least three months.

The malware's operating method involves collecting data from users' Desktop and Documents folders, including personal notes, which are then compressed into a ZIP archive. Subsequently, this sensitive information is transmitted to a command-and-control (C2) server, giving the attackers unauthorised access to the compromised systems.

Bitdefender researcher Andrei Lapusneau, in the advisory, emphasises that while there is not enough information to definitively attribute this campaign to a specific threat actor, certain artefacts and indicators of compromise (IoCs) suggest a possible link to the BlackBasta and ALPHV/BlackCat ransomware operators. Notably, three out of the four identified command-and-control servers have previously been associated with ransomware campaigns targeting Windows clients.

It is worth noting that the ALPHV/BlackCat ransomware, like Trojan.MAC.RustDoor, is coded in Rust, indicating a potential connection between the two threats. Historically, the BlackCat/ALPHV ransomware group has predominantly targeted Windows systems, with a particular focus on Microsoft Exchange Services.

As cybersecurity threats continue to multiply its digital presence, it is crucial for macOS users to remain vigilant and take proactive measures to protect their systems. This latest event underscores the importance of staying informed about potential threats and adopting best practices for withstanding cybersecurity hassles.

The users are advised to exercise caution when downloading and installing software updates, especially from unofficial sources. Employing reputable antivirus software and keeping systems up-to-date with the latest security patches can also serve as effective measures to mitigate the risk of falling short to such malicious activities.

The identification of Trojan.MAC.RustDoor serves as a reminder that threats can manifest in unexpected ways, emphasising the need for ongoing practical methods and collaboration within the cybersecurity community to safeguard users against these potential cyber threats.


Fortra's GoAnywhere MFT Software Faces Exploitation, No Evidence of Active Exploitation Detected

 

Reports on the exploitation of Fortra's GoAnywhere MFT file transfer software raised concerns due to the potential development of exploit code from a publicly released Proof of Concept (PoC). As of Thursday afternoon, there was no evidence of active exploitation.

Researchers from Shadowserver, in a post dated January 25, noted over 120 instances of exploits based on the publicly released PoC code. However, they suggested that widespread success for attackers is unlikely due to the limited exposure of admin portals (only 50) and the majority being patched.

The vulnerability, identified as CVE-2024-0204 with a CVSSv3 score of 9.8, enables hackers to remotely create a new admin user through the software’s administration portal. This issue emerged a year after the Clop ransomware gang exploited a GoAnywhere MFT zero-day vulnerability, compromising over 130 organizations. Fortra responded by releasing a patch on January 22, urging immediate action from security teams. The company had notified customers on December 4 and released the patch on December 7.

Ashley Leonard, CEO at Syxsense, emphasized the critical nature of the CVE, stating that the vulnerability allows unauthorized users to bypass authentication and create a new admin account remotely.

Despite the lack of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has not included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. CISA defines "active exploitation" based on real-time success demonstrated by threat actors in the wild.

Ransomware groups have historically utilized file transfer software in their tactics, with examples like REvil using GoAnywhere MFT for deploying malware and exfiltrating sensitive data. Though REvil is no longer active, similar tactics persist, and groups like LockBit are known to exploit new vulnerabilities swiftly. Security experts advise organizations leveraging the software to patch immediately, considering the potential threat.

Callie Guenther, senior manager of cyber threat research at Critical Start, highlighted the relative ease of exploiting the Fortra GoAnywhere MFT vulnerability, described as a "1998 style" path traversal flaw. With the PoC available and the simplicity of exploitation, there are concerns that threat actors might start scanning for vulnerable instances of GoAnywhere MFT to exploit the flaw. While it's uncertain if CISA will include this flaw in the KEV catalog, they have previously issued advisories for similar vulnerabilities and added a remote code injection issue in Fortra's GoAnywhere MFT (CVE-2023-0669) to the catalog.